Today I learned

Well… Technically I learned about that more than 10 years ago. I just found this file sitting in some directory, and thought it was fun to publish it without further proof reading.

❯ ls -l chris-learned-netns.txt
-rw-r--r-- 1 chris chris 8431 Aug 28  2015 chris-learned-netns.txt

The idea was to run some systemd.service in a different network namespace. Basically I want to control the outbound ip of my mailserver stuff, without containering it entirely (no docker, systemd-nspawn, whatever). This is more or less philosopical stuff. IMHO there is a systemmanager… called systemd… taking care about my services. And I just want to run a few services. I’m still thinking about going for systemd-nspawn in case of my mailserver, to be at least able to use systemctl -M to connect from the outside to the inner systemd. Sure, a SNAT to dport 25 would do a good job as well. But for the fun of it.

However, this is absolutely a proof of concept, and most important, I learned lots of stuff. Oh. My focus was ipv6, but this works with ipv4 the same way. Pretty much of the stuff was stolen from the docker networking documentation https://docs.docker.com/articles/networking/#ipv6.

All the examples worked on debian/jessie and arch linux.

So, first of all I thought there may be a stanza in systemd.services to do this. But in fact, it is just possible to start services with lo only. Currently, there is PrivateNetwork=true and JoinsNamespaceOf=… But this is not general enough to join a specific network namespace. Have a look at: http://comments.gmane.org/gmane.comp.sysutils.systemd.devel/15892

However, this is not the most complicated thing with this idea. For postfix I just have to edit the (systemd auto generated) postfix.service, but more on this later. The more challenging stuff is to create the network namespace, assign an interface into it, assign an ip and get the routing stuff done. So, for reasons with my hoster, I wanted to stay with routed network instead of bridged stuff. Bridged stuff in terms of: one system bridge with eth0 assigned to it. I wanted to set public ips to the “containered” interface.

First of all, create a bridge anyway. To this, one part of the veth will be assigned. Install bridge-utils to get brctl.

# brctl addbr br0
# ip link add veth0 type veth peer name veth1
# ip a

...
6: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 92:40:3a:f7:d0:37 brd ff:ff:ff:ff:ff:ff
7: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 7e:13:29:35:6c:f0 brd ff:ff:ff:ff:ff:ff
8: br0@NONE: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
link/ether 2a:9b:07:6e:36:04 brd ff:ff:ff:ff:ff:ff

At this point, there are br0, veth0 and veth1 in the output of ip a. All DOWN. Assign veth0 to the bridge br0.

# brctl addif br0 veth0
# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.06daacc6f10a no veth0

Bringing br0 and veth0 up. Depending on the driver, the devices are up instandly, or if ip addresses are assigned to. However.

# ip link set br0 up
# ip link set veth0 up

Next step is to create our network namespace and assign the other half of the veth into this namespace.

# ip netns add mailserverns
# ip link set veth1 netns mailserverns name eth0

Now there should be an interface in mailserverns and veth1 should be gone. (veth0 is still there!)

# ip a | grep veth1
# ip netns exec mailserverns ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: eth0@if7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 92:40:3a:f7:d0:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0

We assigned veth1 as eth0 to mailserverns \o/

Before we start with the address and routing stuff, we should set some kernel parameters to enable forwarding and proxying arp and stuff for neighbor discovery

# sysctl -w net.ipv4.conf.all.forwarding=1
# sysctl -w net.ipv4.conf.all.proxy_arp=1
# sysctl -w net.ipv6.conf.all.forwarding=1
# sysctl -w net.ipv6.conf.eth0.proxy_ndp=1

Lets start with the host configuration. First of all, assign a lokal link address to br0 in order to use this as a default gateway from within the namespace. Again, I took this from the docker documentations.

# ip addr add fe80::1/64 dev br0

the route is generated automatically:

# ip -6 r s
fe80::/64 dev br0 proto kernel metric 256

Now… assuming, your ipv6 prefix is 2001:db8::/64, you have to slice it down. This is up to you. If you just need one address. Take a /128. I use 2001:db8::1ce:c01d:bee2/128 as an example.

In a different terminal, I just “join” into the network namespace. Just to only type the command instead of ip netns exec mailserverns COMMAND, each time.

# ip netns exec mailserverns bash
# (mailserverns) ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: eth0@if7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 92:40:3a:f7:d0:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0

Enable the interface eth0. The route to fe80::/64 is created automatically.

# (mailserverns) ip link set eth0 up
# (mailserverns) ip -6 r s
fe80::/64 dev eth0 proto kernel metric 256

At this point, fe80::1 should be reachable

# (mailserverns) ping6 -I eth0 fe80::1
PING fe80::1(fe80::1) from fe80::9040:3aff:fef7:d037 eth0: 56 data bytes
64 bytes from fe80::1: icmp_seq=1 ttl=64 time=0.111 ms

So we can use this as the default gateway.

# (mailserverns) ip r add default via fe80::1 dev eth0

Lets assign the official address to our namespaced eth0

# (mailserverns) ip addr add 2001:db8::1ce:c01d:bee2/128 dev eth0

Thats pretty much it, from within the network namespace, even a ping is not yet working. Outside of it, in the “real” system, we have to tell the kernel about this ip.

# ip route add 2001:db8::1ce:c01d:bee2/128 dev br0
# ip -6 neigh add proxy 2001:db8::1ce:c01d:bee2 dev eth0

First one, tells where (on which bridge) the network will be found. This works for larger than /128 as well. But at least, you have to slice your host network! Second one, tells the host to proxy the neighbor 2001:db8::1ce:c01d:bee2 on hosts physical eth0. With this, the host says. “This ip belongs to my eth0”. This is NOT the eth0 of the namespace! Have a look at: IPv6 – Proxy the neighbors (or come back ARP – we loved you really) https://www.ipsidixit.net/2010/03/24/239/

Now. Ping from within the namespace should work.

# (mailserverns) ping6 google.com
PING google.com(fra02s27-in-x03.1e100.net) 56 data bytes
64 bytes from fra02s27-in-x03.1e100.net: icmp_seq=1 ttl=54 time=28.5 ms

Wohooo \o/

Testing a ping from another host in my network:

[mpd@leierkasten ~]$ ip -6 a s dev wlan0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8::20f:54ff:fe0c:114b/64 scope global mngtmpaddr dynamic
valid_lft 6943sec preferred_lft 929sec
[mpd@leierkasten ~]$ ping6 2001:db8::1ce:c01d:bee2
PING 2001:db8::1ce:c01d:bee2(2001:db8::1ce:c01d:bee2) 56 data bytes
64 bytes from 2001:db8::1ce:c01d:bee2: icmp_seq=1 ttl=62 time=456 ms

ATTENTION: None of the above is persistent in any way!

So close. Now lets customize the postfix.service and extend each start-stop-call by ip netns exec mailserverns.

# systemctl stop postfix
# cp /run/systemd/generator.late/postfix.service /etc/systemd/system/postfix.service
# vi /etc/systemd/system/postfix.service

...
ExecStart=/bin/ip netns exec mailserverns /etc/init.d/postfix start
ExecStop=/bin/ip netns exec mailserverns /etc/init.d/postfix stop
ExecReload=/bin/ip netns exec mailserverns /etc/init.d/postfix reload
...

# systemctl daemon-reload
# systemctl start postfix

Verify with netstat. No :25 should be listed.

# netstat -lntp

...

Since it is running in the network namespace.

# ip netns exec mailserver netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:587 0.0.0.0:_ LISTEN 9473/master
 tcp 0 0 0.0.0.0:25 0.0.0.0:_ LISTEN 9473/master
 tcp6 0 0 :::587 :::_ LISTEN 9473/master
 tcp6 0 0 :::25 :::_ LISTEN 9473/master

Long story short. On my gravel bike, a Canyon Grizl from 2024, every paddle stroke on the left side caused a creak. Those kinds of creaks that are hard to spot. In the past, I experienced similar creaks caused by the seat post (not even kidding). With a friend riding next to me, we were able to limit the creaky area down to something at the bottom bracket area.

Luckily, it was as easy as removing the left paddle and apply a bit of grease to the threads of the spindle.

Recently I witnessed a discussion between several parties about documentation, where to put it, single source of truth for everything, not writing about the same topic twice (even if there are multiple different audiences). Surprisingly, again there is no silver bullet 🤷

However, in my humble opinion, there is a way to make documentation better. To make it easier for people to start documenting. For having better indices, better search, and what not. People can even study this stuff in universities. These folks are called librarians, and every company should hire some.

If some service implements org.freedesktop.LogControl1 and defines a BusName, the log level of the service can be changed on the fly. For example systemd-networkd:

systemctl service-log-level systemd-networkd.service debug

Note: This is a pretty incoherent write up about what happens to be in my head on two different days. Maybe it is useful nevertheless 🤷

From time to time, I write operator (or controller) for Kubernetes. Primarily using go and thus using controller-runtime, either through kubebuilder or operator-sdk. The idea behind operator is reconciling something (let’s say an external resource) to the desired state. See Operator Pattern and Concepts Controllers.

In short terms: An operator observes the desired state in kube-apiserver and tries to “move” the resource to match the desired state. When it comes to controller-runtime, the logic is implemented in the method Reconcile.

It often times is desired, to only run a single instance of the operator. When dealing with idempotent APIs, one run multiple instances, but in general it is recommended to only have a single “active” instance in the cluster. Creating the boilerplate with kubebuilder or operator-sdk, a Leader Election will be created automatically. Thus, a failed instance will be taken over after a while.

Why is that important?

Imagine the operator can talk to an API to create a loadbalancer (we only can use that API, but can’t change any of it). The only field the API provides is a name for the loadbalancer. The create request returns an UUID, over which the loadbalancer would be identifiable. In an ideal world, the operator would create a loadbalancer, get back the UUID and store it somewhere for further processing.

uuid = db.get(lbUUID)
lb = api.get_lb(uuid)
if not lb:
  uuid = api.create_lb(name)
  db.store("lbUUID", uuid)
  lb = api.get_lb(uuid)

Looks reasonable, but has some shortcomings. Because there are no transactions between the various applications and APIs, the code could fail at any point in time. Fail not in terms of, the application as it fails, but fails because of external circumstances (OOM, node failure, etc.) For example, after/during calling create_lb. There was just no time to retrieve and store the UUID. The next reconcilation loop would create another loadbalancer, and now we maybe end up with two or more instances we need to pay for. Sometimes the code could end up in an error. For example because a port is already used by another loadbalancer instance. What would be the correct action? Adopting the loadbalancer? Erroring and retry? Probably the latter one. Because, who knows what or how created the loadbalancer in the first place.

The idea behind operator is that the program observes the world, try to move the world into the direction of the desired state, and store the observed state into the status field. It is not necessarily a good idea to store observed state somewhere for identification purposes. Even though there are examples, that do kind of that when storing things like providerID. However, in the world of Kubernetes cloud-provider, the provider deliberately is very limited in what it can do. For instance, the reconciler code for the loadbalancer has no access to Kubernetes.

So the best some reconciler sometimes get is a name. And must deal with the challenges of the external API.

lbs = api.list_lbs(filter = {"name": name})
if lbs:
  lb = lbs[0]
else:
  lb = api.create_lb(name)

Here are dragons again. The API does allow multiple loadbalancer with the same name. Every other method of identifying the object might be flawed in some way, or will suffer from the same problems. For example. If the API lets us set tags on resources, but doesn’t allow it in the create call, we are back at square one.

Even still pretty unsatisfying from a purists perspective, running a single instance of the operator is probably the best solution. Especially if otherwise one would introduce distributed consensus on what to create when and where. There are always trade-offs. Depending on the use case, it might be sufficient to only pick result[0], sometimes you might want to be more conservative and return an error if you get more results than one. You have to make those decisions, there is no way to get around them.

So far, we took look at operators and some of the challenges, especially if it comes to concurrently running processes. But do we suffer from the same problem when we are in the same process? In some cases, a single reconciliation is enough. If there are infrequent updates/changes to the source, and or one run of the loop is fast. But when we think back to the loadbalancer example. Imagine each reconciliation takes 30 seconds. If you create 10 loadbalancer at the time, it would take 300 seconds to create all of them, even though, in theory the API would be able to create 10 in parallel without problems.

Let’s take a look at the interface of a Kubernetes reconciler

type Reconciler = TypedReconciler[Request]

type TypedReconciler[request comparable] interface {
	// Reconcile performs a full reconciliation for the object referred to by the Request.
	//
	// If the returned error is non-nil, the Result is ignored and the request will be
	// requeued using exponential backoff. The only exception is if the error is a
	// TerminalError in which case no requeuing happens.
	//
	// If the error is nil and the returned Result has a non-zero result.RequeueAfter, the request
	// will be requeued after the specified duration.
	//
	// If the error is nil and result.RequeueAfter is zero and result.Requeue is true, the request
	// will be requeued using exponential backoff.
	Reconcile(context.Context, request) (Result, error)
}

For each event, no matter if it is create, update, delete, some generic event, the Reconcile method will be called. You will only see the request object, not what happened, not what state was there before, nor the change. Remember? The idea is to grab the desired state, drive the resource towards it, and record what you observed along the way.

But does that mean, we are really called for each and every event? Like… create of the Kubernetes Resource, which leads to creating the external resource. During that time, someone is editing the labels on the Kubernetes Resource. Would that result in the same difficulties described above?

When running a single Reconcile at any times, certainly not. The second event would be “batched”, and feed to the reconciler as soon as the previous run of Reconcile finished. Is it a good idea to crank up MaxConcurrentReconciles up to lets say 10? See Controller Options. Or do we need to implement something to coordinate execution of reconciles somehow. Certainly easier to do in the same process as opposed to do it distributed. But is it necessary?

The short answer is No. You don’t have to implement it. But not because the problem does not exist, but rather because of the workqueue used internally, provided by client-go. See Learning Concurrent Reconciling (from 2019) for more details.

If you need to have more than one Reconcile at the time, because of durations or number of objects in Kubernetes, you can tune MaxConcurrentReconciles. controller-runtime with help of workqueue will take care, that only one Reconcile per object is running.

Let’s do a quick detour back the events #

I mentioned that the reconciliation function is called for events happening. There are ways to filter events, and you can decide on which events you would like to be called, depending on you use case. Sometimes, it makes sense to store a condition with a field observedGeneration, recording the metadata.generation of the last successful and complete reconciliation. You would then filter out all events where metadata.generation == observedGeneration, to not reach out to external APIs and hit some rate limit in the process.

Sometimes, if you code for instance sets routes in the system, you might always return with RequeueAfter. Checking and setting routes is pretty fast, and there are no real rate limits in place. So it might be better to make sure a route is in place, lets say every 30 second, over accidentally not having the route at all. Either by a bug in the code, or because someone/something removed it. This kind of reconciliation would also run with MaxConcurrentReconciles = 1, so there are no two route altering processes at a time. Sure, you could watch netlink events in a separate goroutine and create a GenericEvent. However, this would need additional book keeping between the route and your object. The effort might not be worth it. But again, everything depends on your use case.

Reaching out for checking and maybe creating/updating an s3 bucket might not be worth doing it over and over again. Here you would likely use the observedGeneration pattern.

You could even watch on other objects and reconcile your real object. When there are ownerReferences, kubebuilder can do it pretty automatically by using .Owns(...). But even if you watch some object without real (or directly visible) relation to you object, .Watches(…) in combination with the correct enqueue function, can do exactly this. Your code “just” needs to be capable of drawing the line between the observed object and your actual ones.

Resources #

I strongly encourage you to have a look at the kubebuilder book for inspiration. Also check kubernetes API conventions. If you would like to see a real world example with several objects involved, take a look at cluster-api.

Updates #

In the recent edition of golangweekly I came across So you wanna write Kubernetes controllers by ahmentb. Much more thought out than what I am capable of.

A bit later then all the cool kids, I tried ghostty (on Linux), and I really like it.

Configuration and how to use the same options in the config file and as command line parameters is a breeze. I find ghosttys options to be very discoverable and the manpage works really well for me. I didn’t do much customization, but set up a light and a dark theme. Opted for rose-pine-dawn for light and rose-pine-moon. A good combination, but often times not supported by various terminals. Additionally some minor tweaks to keybinds.

I would say, I am a tmux user for decades… what can’t be really true, because it’s initial release was in late 2007, and I’m not sure that I was on it from the beginning. However, I used both screen and tmux, and even gave zellij a try. ghostty is the first terminal that seemingly makes a terminal multiplexer redundant for me, because I don’t use too many features on a regular basis. The only thing… my muscle memory needs some more time to adjust.

Hello future me 👋

You might wonder where all the files e.g. /boot/vmlinuz-linux, /boot/amd-ucode.img, /boot/initramfs-linux.img and the boot loader configs in /boot/loader/entries are gone.

I changed everything to Unified kernel images, by primarily changing the file /etc/mkinitcpio.d/linux.preset to generate the UKI. I also told the generation of /boot/vmlinuz-linux to be placed in /usr/local/share/boot/vmlinuz-linux instead, by setting ALL_kver="/usr/local/share/boot/vmlinuz-linux". The newly generated files will end up in /boot/EFI/Linux/arch-linux.efi and /boot/EFI/Linux/arch-linux-fallback.efi. systemd-boot will pick up these automatically. So no further entries are needed. Since, there are no boot loader entries any more, we must tell the system somehow about our cmdline. This is done in /etc/cmdline.d/*.conf. This files are respected by mkinitcpio and are bundled into the mentioned /boot/EFI/Linux/arch-linux*.efi files.

$ cat /etc/cmdline/10-root.conf
rd.luks.name=9c8381f8-7e0f-44f6-be26-655b70d33a32=root root=UUID=a1af7e43-857b-4903-8896-e25484175e5d

$ cat /etc/mkinitcpio.d/linux.preset
ALL_kver="/usr/local/share/boot/vmlinuz-linux"

PRESETS=('default' 'fallback')

default_uki="/boot/EFI/Linux/arch-linux.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"

fallback_uki="/boot/EFI/Linux/arch-linux-fallback.efi"
fallback_options="-S autodetect"

While I was there, I decided to get rid of /boot/amd-ucode.img as well. mkinitcpio collects the firmware from /usr/lib/firmware/amd-ucore/ anyways, and packs it into the initramfs. No need to keep the file around. However, /boot/amd-ucode.img is part of the package amd-ucode. I had to tell pacman to don’t extract those files.

$ grep NoExtract /etc/pacman.conf
NoExtract   = boot/*-ucode.img

Those changes do provide nothing but a learning opportunity 😄 And maybe… just maybe… in some point in the future, I will sign everything.

Update 2024-12-23 #

That went faster than expected. I just went on and created some keys and signed my images, roughly following Unified Extensible Firmware Interface / Secure Boot. Using systemd-ukify for signing, and systemd-boot for enrolment.

I decided to create my own files using openssl like documented. But first of all, backed up the my old setup. However, I realized that there is a “Restore to Factory Settings” in the Setup of the Zenbook.

My first attempt were to sign the resulted efi images, as well as the boot loader, with my own keys. Boot worked. However, now Windows for sure doesn’t boot any more.

To fix that, I just grabbed my backed up .esl files and combined the new with the old ones, and sign everything with my Platform Key (PK) or Key Exchange Key (KEK) respectively.

And voilà. A couple of hours and attempts later, Windows boots with Secure Boot enabled. The process took far to long, but I thought, my signing stuff was wrong. However, it turned out the filesystem of my /boot was broken, and ate the windows boot loader. Took me a while to figure it out and find the original to restore my system :grim:

Generate keys #

openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=chrigl Platform Key/" -out PK.crt
openssl x509 -outform DER -in PK.crt -out PK.cer
openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=chrigl 2024-12-21 Key Exchange Key/" -out KEK.crt
openssl x509 -outform DER -in KEK.crt -out KEK.cer
openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=chrigl Signature Database key/" -out db.crt
openssl x509 -outform DER -in db.crt -out db.cer

Create all the efi things #

The old_*.esl were backed up from efi and now included so that Windows and ASUS stuff works. I know… not very secure… but this is only for toying around anyways :)

sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
sign-efi-sig-list -g "$(< GUID.txt)" -c PK.crt -k PK.key PK /dev/null noPK.auth

cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt new_KEK.esl
cat new_KEK.esl old_KEK.esl > KEK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth

cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt new_db.esl
# Leaving PK.esl here for now, because how ukify uses the same cert everywhere
cat new_db.esl old_db.esl PK.esl > db.esl

sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth
sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt dbx old_dbx.esl dbx.auth

cp db.auth keys/db/
cp dbx.auth keys/dbx/
cp KEK.auth keys/KEK/
cp PK.auth keys/PK/

Verifying everything, but not using sbkeysync for enrolment:

sbkeysync --keystore /etc/secureboot/keys --pk --dry-run --verbose

Enrolment with systemd-boot #

cp keys/*/*.auth /boot/loader/keys/auto/

cat /boot/loader/loader.conf

secure-boot-enroll manual

On reboot, you should see an additionally menu entry, given Secure Boot Setup Mode is enabled.

Signing kernel images #

systemd-ukify must be installed and configured properly.

# cat /etc/kernel/uki.conf

[UKI]
SecureBootPrivateKey=/etc/secureboot/db.key
SecureBootCertificate=/etc/secureboot/db.crt

[PCRSignature:initrd]
PCRPrivateKey=/etc/secureboot/tpm2-pcr-private-key.pem
PCRPublicKey=/etc/secureboot/tpm2-pcr-public-key.pem
Phases=enter-initrd

[PCRSignature:system]
PCRPrivateKey=/etc/secureboot/tpm2-pcr-private-key.pem
PCRPublicKey=/etc/secureboot/tpm2-pcr-public-key.pem
Phases=enter-initrd:leave-initrd
       enter-initrd:leave-initrd:sysinit
       enter-initrd:leave-initrd:sysinit:ready

Manually Signing systemd-boot #

There is no automation in place as of now.

Sign the systemd-bootx64.efi and install systemd-boot.

sbsign \
  --cert /etc/secureboot/db.crt \
  --key /etc/secureboot/db.key \
  /usr/lib/systemd/boot/efi/systemd-bootx64.efi

bootctl install

With all of this in place, systemd-cryptenroll can be used to unseal the luks encrypted disk without requiring the real password.

E.g.

systemd-cryptenroll \
  --tpm2-public-key=/etc/secureboot/tpm2-pcr-public-key.pem \
  --tpm2-with-pin=yes \
  --tpm2-pcrs=7 \
  --tpm2-device=auto /dev/nvme0n1p5

For sure, especially the signing keys should live somewhere else, in a secure space.

I know about nushell for quite a while. Today I installed nushell and gave it a try.

I thoroughly enjoy the hard break with traditional shells. “Everything is data”, the website claims. And this brings up a couple of interesting use cases. nushell supports json (along with a whole lot of other formats) out of the box, and also includes a http client. This makes nushell a perfect fit for browsing json APIs from the command line.

However, there are a bunch of other really interesting use cases. Tools like iproute2 or lsblk allow to output json.

We list all devices in json format and tell nushell to interpret it as json.

lsblk -J | from json

We want to drill into the small nested box with root included.

lsblk -J | from json | get blockdevices.children.0.4.children.0

An absolute great tool to dive into data 😄

You even can tell nushell to output in any known format. For example | to md prints a markdown table.

I think I will find plenty of places where nushell will help me!

Just talking about my personal notebook, at work I’m usually using some kind of macbook.

This November, I decided to retire my trusted Lenovo Thinkpad x230 from about 2013.

Because I’m a heavy terminal user, it was not too much of a deal. For programming, these days I’m on AstroNvim with full blown LSP setup. Which mostly was fast enough for me. However, the trusted gear served me very well over the years, but the difference to a macbook air M1 is just… noticeable.

This month I somehow decided: This is the time! I went online, did a fair bit of research… not too much for sure… and ended up on a ASUS Zenbook UM3406.

Completely new installation #

I made some decisions about my OS. First, I want to keep a small partition for the included Windows 11. And to be perfectly honest. I’m impressed by it, and thought for a second: Maybe just sticking with it and use WSL2? I just can’t stand it 😄

Because, I really have a whole lot of respect for the people behind Universal Blue, I gave the Gnome spin a try. It really works well, but I’m old and a diehard archlinux user… So just installed my beloved distri.

But why do I keep Win 11… I use it for Zwift and it is just too much of a fuff to run it on Linux. Even form me, sometimes things should just work.

Took me three iterations to get both installations correct. Mostly because of being stupid and removing partitions by accident, and letting the Windows installer to pick a too small efi partition.

My last installation of archlinux dates back to 2011, when I installed my pre-pre notebook. This installation, I synced over to the Thinkpad in 2013. So I don’t remember anything about the old installation process. Today, I really liked how simple it is to configure WLAN using iwctl. I opted into doing a full disc encryption, and do not separate /home from /, but creating a single partition with a btrfs. Guess, I’m a btrfs user since 2013.

You might already realized how weird I am. Very old school on one hand, but a sucker for new stuff on the other. This time, I opted into using systemd-homed to manage my home directory. Because using btrfs, being the sole user of this computer, and having full disc encryption, I use subvolume as the storage driver. There are strings attached, and some parts are not yet integrated into other parts. Like there is still account-service, but it is unable to really manage systemd-homed users. I expect things to come closer together in the future. I will get those pretty early, because of the rolling release nature of archlinux.

A brand new terminal emulator #

For convenience purposes, I installed the package group gnome, which includes gnome-console. It works reasonably well, and has a more modern look and feel than my trusted gnome-terminal. The lovely Universal Blue folks brought my attention to ptyxis. I installed it via the gnome-software-center, which is configured to use flathub, because there is no archlinux package yet.

Tested the container features, using distrobox. Feels really nice and snappy. Some features I (unfortunately) cut out, because of using tmux. Here again, old man, old habits. For instance. Ptyxis colourizes the borders red when detecting sudo.

All in all, a great user experience. Did not spend too much time into it… well, because things should just work, and Ghostty is coming. I’m kind of sucker for those kind of new stuff 😄

Using minimal config from the old one #

This time, I decided to only copy over a minimal set of configurations from my old notebook. It proved to be a good decision. For Instance, my Evolution Mail client looks cleaner now, even though they are in the same version.

What’s next? #

This might or might not be my final installation. I still like the approach the lovely folks at Fedora and Universal Blue are taking. But for me, this notebook is not my “I earn money with it”-machine, and I love to have a relatively low level Linux.

I use pkg.go.dev regularly. Sometimes just for finding a package, that I know, but not the full name. One of those is go-spew. I know the package, I know it exists, but I will never be able to keep the full path in my head (for good reasons). Wouldn’t it be great to search from the command line?

gofind is our new friend 😄

❯ gofind spew
spew (github.com/davecgh/go-spew/spew)
    Package spew implements a deep pretty printer for Go data structures to
    aid in debugging.

    Imported by 15,504 | v1.1.1 published on Feb 21, 2018 | ISC

spew (github.com/spewerspew/spew)
    Package spew implements a deep pretty printer for Go data structures to
    aid in debugging.

    Imported by 12 | v0.0.0-...-89b69fb published on May 13, 2023 | ISC

...